<!DOCTYPE html>



  


<html class="theme-next pisces use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.9.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="web,">





  <link rel="alternate" href="/atom.xml" title="Mr.赵" type="application/atom+xml">






<meta name="keywords" content="web">
<meta property="og:type" content="article">
<meta property="og:title" content="upload-labs通关手册">
<meta property="og:url" content="https://GodPang.github.io/2019/07/25/upload-labs通关手册/index.html">
<meta property="og:site_name" content="Mr.赵">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-5014bc04e0f2db63.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-5014bc04e0f2db63.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-a769a6d8246ab9ad.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-6c123f786550f222.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-7137537c7cf43444.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-af17eba1e9c6106e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-427715a187b8a8eb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-238f30c9a8fc26e1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-8d2410d48ec18eff.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-ba2bd2a1306f30ca.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-50122edb02b04ba2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-4be124cac114a949.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-9b36b905cc73b77e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-62f2488c35cc0185.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-be18b81b5c3105fb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-3bbe1f2ff6985ae2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-c943887600f3588f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-92bbc8f18bdc12b9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-0b282a491e4ab0c9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-d7d81a63f065b454.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="https://upload-images.jianshu.io/upload_images/11168449-ea938ef2c7924035.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:updated_time" content="2019-07-27T05:25:11.239Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="upload-labs通关手册">
<meta name="twitter:image" content="https://upload-images.jianshu.io/upload_images/11168449-5014bc04e0f2db63.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Pisces',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":true,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="https://GodPang.github.io/2019/07/25/upload-labs通关手册/">





  <title>upload-labs通关手册 | Mr.赵</title>
  








</head>

<body itemscope="" itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>
    
    <a href="https://GodPang.github.io" class="github-corner" aria-label="View source on Github"><svg width="80" height="80" viewbox="0 0 250 250" style="fill:#151513; color:#fff; position: absolute; top: 0; border: 0; right: 0;" aria-hidden="true"><path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"/><path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"/><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"/></svg></a><style>.github-corner:hover .octo-arm{animation:octocat-wave 560ms ease-in-out}@keyframes octocat-wave{0%,100%{transform:rotate(0)}20%,60%{transform:rotate(-25deg)}40%,80%{transform:rotate(10deg)}}@media (max-width:500px){.github-corner:hover .octo-arm{animation:none}.github-corner .octo-arm{animation:octocat-wave 560ms ease-in-out}}</style>

    <header id="header" class="header" itemscope="" itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">Mr.赵</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle"></p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-首页">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-关于">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
            
            关于
          </a>
        </li>
      
        
        <li class="menu-item menu-item-标签">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
            
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-类别">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br>
            
            类别
          </a>
        </li>
      
        
        <li class="menu-item menu-item-归档">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            归档
          </a>
        </li>
      

      
    </ul>
  

  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope="" itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://GodPang.github.io/2019/07/25/upload-labs通关手册/">

    <span hidden itemprop="author" itemscope="" itemtype="http://schema.org/Person">
      <meta itemprop="name" content="GodPang">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/touxiang.jpg">
    </span>

    <span hidden itemprop="publisher" itemscope="" itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Mr.赵">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">upload-labs通关手册</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2019-07-25T16:06:02+08:00">
                2019-07-25
              </time>
            

            

            
          </span>

          
            <span class="post-category">
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope="" itemtype="http://schema.org/Thing">
                  <a href="/categories/ctf学习笔记/" itemprop="url" rel="index">
                    <span itemprop="name">ctf学习笔记</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
              <span class="post-comments-count">
                <span class="post-meta-divider">|</span>
                <span class="post-meta-item-icon">
                  <i class="fa fa-comment-o"></i>
                </span>
                <a href="/2019/07/25/upload-labs通关手册/#comments" itemprop="discussionUrl">
                  <span class="post-comments-count valine-comment-count" data-xid="/2019/07/25/upload-labs通关手册/" itemprop="commentCount"></span>
                </a>
              </span>
            
          

          
          

          
            <span class="post-meta-divider">|</span>
            <span class="page-pv"><i class="fa fa-eye"></i>
            <span class="busuanzi-value" id="busuanzi_value_page_pv"></span>
            </span>
          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <html><head><meta name="generator" content="Hexo 3.9.0"></head><body><p><img src="https://upload-images.jianshu.io/upload_images/11168449-5014bc04e0f2db63.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="1.1.png"></p>
<a id="more"></a>
<h2 id="序"><a href="#序" class="headerlink" title="序"></a>序</h2><p>文件上传靶场，搭建了很长时间了，一直没做，刚好最近闲来无事。学习一下</p>
<h2 id="靶场环境"><a href="#靶场环境" class="headerlink" title="靶场环境"></a>靶场环境</h2><p>因为环境的不同导致上传的绕过方法也会不同，在这里说明我搭建的环境信息：操作系统为windows，使用的phpstudy的集成环境，php版本为5.2.17，因为1有些题目涉及到00截断上传。apache配置文件没有修改过，是默认的配置文件</p>
<h2 id="闯关笔记"><a href="#闯关笔记" class="headerlink" title="闯关笔记"></a>闯关笔记</h2><h3 id="Pass-01"><a href="#Pass-01" class="headerlink" title="Pass-01"></a>Pass-01</h3><ol>
<li><p>直接观察源代码，发现不允许上传.php类型文件</p>
<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">//定义允许上传的文件类型</span></span><br><span class="line">   <span class="keyword">var</span> allow_ext = <span class="string">".jpg|.png|.gif"</span>;</span><br></pre></td></tr></tbody></table></figure>
</li>
<li><p>可以直接抓包就可以绕过上传<br><img src="https://upload-images.jianshu.io/upload_images/11168449-5014bc04e0f2db63.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="1.1.png"></p>
</li>
<li><p>查看<br><img src="https://upload-images.jianshu.io/upload_images/11168449-a769a6d8246ab9ad.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="1.2.png"></p>
<h3 id="Pass-02"><a href="#Pass-02" class="headerlink" title="Pass-02"></a>Pass-02</h3></li>
<li><p>查看源码</p>
<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>])) {</span><br><span class="line">    <span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line">        <span class="keyword">if</span> (($_FILES[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/jpeg'</span>) || ($_FILES[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/png'</span>) || ($_FILES[<span class="string">'upload_file'</span>][<span class="string">'type'</span>] == <span class="string">'image/gif'</span>)) {</span><br><span class="line">            $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line">            $img_path = UPLOAD_PATH . <span class="string">'/'</span> . $_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]            </span><br><span class="line">            <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line">                $is_upload = <span class="keyword">true</span>;</span><br><span class="line">            } <span class="keyword">else</span> {</span><br><span class="line">                $msg = <span class="string">'上传出错！'</span>;</span><br></pre></td></tr></tbody></table></figure>
</li>
<li><p>Content-Type绕过，直接把Content-Type改为图片类型即可<br><img src="https://upload-images.jianshu.io/upload_images/11168449-6c123f786550f222.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="2.1.png"></p>
</li>
<li><p>上传成功，截图不在赘述</p>
<h3 id="Pass-03"><a href="#Pass-03" class="headerlink" title="Pass-03"></a>Pass-03</h3></li>
<li><p>这一关是另类的文件名的绕过，可以尝试phtml，php3，php4, php5, pht后缀名都可以绕过，但是前提是要在配置文件里面有这样的一句话</p>
<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">AddType application/x-httpd-php .php .phtml .phps .php5 .pht</span><br></pre></td></tr></tbody></table></figure>

</li>
</ol>
<p><img src="https://upload-images.jianshu.io/upload_images/11168449-7137537c7cf43444.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="3.1.png"></p>
<ol start="2">
<li>源码黑名单<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$deny_ext = <span class="keyword">array</span>(<span class="string">'.asp'</span>,<span class="string">'.aspx'</span>,<span class="string">'.php'</span>,<span class="string">'.jsp'</span>);</span><br></pre></td></tr></tbody></table></figure>

</li>
</ol>
<h3 id="Pass-04"><a href="#Pass-04" class="headerlink" title="Pass-04"></a>Pass-04</h3><p>1.看一下他过滤的名单，上面的方法已经不行了</p>
<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$deny_ext = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">"php1"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">"pHp1"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>);</span><br></pre></td></tr></tbody></table></figure>

<ol start="2">
<li>但是<code>.htaccess</code>还是没有过滤，可以重写文件解析规则绕过，上传一个<code>.htaccess</code>，文件内容如下，就是在upload目录下匹配gg.jpg的文件并以php文件执行<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><filesmatch <span="" class="string">"gg.jpg"</filesmatch></span>><br><span class="line">SetHandler application/x-httpd-php</span><br><span class="line"></span><br></pre></td></tr></tbody></table></figure>

</li>
</ol>
<p><img src="https://upload-images.jianshu.io/upload_images/11168449-af17eba1e9c6106e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="4.1.png"></p>
<ol start="3">
<li>然后再上传一个名字为gg.jpg的脚本<br><img src="https://upload-images.jianshu.io/upload_images/11168449-427715a187b8a8eb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="4.2.png"></li>
<li>访问，成功上传<h3 id="Pass-05"><a href="#Pass-05" class="headerlink" title="Pass-05"></a>Pass-05</h3></li>
<li>这一题里面多过滤了<code>.htaccess</code>，如何绕过呢？</li>
<li>对比代码发现去掉了转换为小写，部分代码</li>
</ol>
<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$file_ext = strtolower($file_ext); <span class="comment">//转换为小写</span></span><br></pre></td></tr></tbody></table></figure>

<ol start="3">
<li><p>文件后缀大小写混合过滤<br><img src="https://upload-images.jianshu.io/upload_images/11168449-238f30c9a8fc26e1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="5.1.png"></p>
<h3 id="Pass-06"><a href="#Pass-06" class="headerlink" title="Pass-06"></a>Pass-06</h3></li>
<li><p>这一关比第五关少了这样的一句代码</p>
</li>
</ol>
<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$file_ext = trim($file_ext); <span class="comment">//首尾去空</span></span><br></pre></td></tr></tbody></table></figure>

<ol start="2">
<li><p>后缀名+空格的形式去绕过<br><img src="https://upload-images.jianshu.io/upload_images/11168449-8d2410d48ec18eff.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="6.1.png"></p>
<h3 id="Pass-07"><a href="#Pass-07" class="headerlink" title="Pass-07"></a>Pass-07</h3></li>
<li><p>对比第6题的代码可以发现少了下面一句代码</p>
</li>
</ol>
<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"> $file_name = deldot($file_name);<span class="comment">//删除文件名末尾的点</span></span><br><span class="line"><span class="number">1</span></span><br></pre></td></tr></tbody></table></figure>

<ol start="2">
<li>既然没有对文件最后的点做过滤，可以尝试以后缀名加上点的形式去绕过<br><img src="https://upload-images.jianshu.io/upload_images/11168449-ba2bd2a1306f30ca.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="7.1.png"></li>
</ol>
<h3 id="Pass-08"><a href="#Pass-08" class="headerlink" title="Pass-08"></a>Pass-08</h3><ol>
<li>这一题的代码比上一次少了下面这一段代码</li>
</ol>
<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$file_ext = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">//去除字符串::$DATA</span></span><br></pre></td></tr></tbody></table></figure>

<ol start="2">
<li>文件后缀 + ::$DATA 绕过<br><img src="https://upload-images.jianshu.io/upload_images/11168449-50122edb02b04ba2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="8.1.png"></li>
</ol>
<h3 id="Pass-09"><a href="#Pass-09" class="headerlink" title="Pass-09"></a>Pass-09</h3><ol>
<li>这一关像是前几关的组合拳</li>
</ol>
<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (file_exists(UPLOAD_PATH)) {</span><br><span class="line">        $deny_ext = <span class="keyword">array</span>(<span class="string">".php"</span>,<span class="string">".php5"</span>,<span class="string">".php4"</span>,<span class="string">".php3"</span>,<span class="string">".php2"</span>,<span class="string">".html"</span>,<span class="string">".htm"</span>,<span class="string">".phtml"</span>,<span class="string">".pht"</span>,<span class="string">".pHp"</span>,<span class="string">".pHp5"</span>,<span class="string">".pHp4"</span>,<span class="string">".pHp3"</span>,<span class="string">".pHp2"</span>,<span class="string">".Html"</span>,<span class="string">".Htm"</span>,<span class="string">".pHtml"</span>,<span class="string">".jsp"</span>,<span class="string">".jspa"</span>,<span class="string">".jspx"</span>,<span class="string">".jsw"</span>,<span class="string">".jsv"</span>,<span class="string">".jspf"</span>,<span class="string">".jtml"</span>,<span class="string">".jSp"</span>,<span class="string">".jSpx"</span>,<span class="string">".jSpa"</span>,<span class="string">".jSw"</span>,<span class="string">".jSv"</span>,<span class="string">".jSpf"</span>,<span class="string">".jHtml"</span>,<span class="string">".asp"</span>,<span class="string">".aspx"</span>,<span class="string">".asa"</span>,<span class="string">".asax"</span>,<span class="string">".ascx"</span>,<span class="string">".ashx"</span>,<span class="string">".asmx"</span>,<span class="string">".cer"</span>,<span class="string">".aSp"</span>,<span class="string">".aSpx"</span>,<span class="string">".aSa"</span>,<span class="string">".aSax"</span>,<span class="string">".aScx"</span>,<span class="string">".aShx"</span>,<span class="string">".aSmx"</span>,<span class="string">".cEr"</span>,<span class="string">".sWf"</span>,<span class="string">".swf"</span>,<span class="string">".htaccess"</span>);</span><br><span class="line">        $file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line">        $file_name = deldot($file_name);<span class="comment">//删除文件名末尾的点</span></span><br><span class="line">        $file_ext = strrchr($file_name, <span class="string">'.'</span>);</span><br><span class="line">        $file_ext = strtolower($file_ext); <span class="comment">//转换为小写</span></span><br><span class="line">        $file_ext = str_ireplace(<span class="string">'::$DATA'</span>, <span class="string">''</span>, $file_ext);<span class="comment">//去除字符串::$DATA</span></span><br><span class="line">        $file_ext = trim($file_ext); <span class="comment">//首尾去空</span></span><br></pre></td></tr></tbody></table></figure>

<ol start="2">
<li>可以遵循着他的步骤去实现自己的payload，可以这样设置<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="number">09.</span>phP. .</span><br></pre></td></tr></tbody></table></figure>

</li>
</ol>
<p><img src="https://upload-images.jianshu.io/upload_images/11168449-4be124cac114a949.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="9.1.png"></p>
<h3 id="Pass-10"><a href="#Pass-10" class="headerlink" title="Pass-10"></a>Pass-10</h3><ol>
<li>关键过滤的代码就这两句</li>
</ol>
<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$file_name = trim($_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>]);</span><br><span class="line">   $file_name = str_ireplace($deny_ext,<span class="string">""</span>, $file_name);</span><br></pre></td></tr></tbody></table></figure>

<ol start="2">
<li>双写绕过<br><img src="https://upload-images.jianshu.io/upload_images/11168449-9b36b905cc73b77e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="10.1.png"><h3 id="Pass-11"><a href="#Pass-11" class="headerlink" title="Pass-11"></a>Pass-11</h3></li>
<li>关键的代码在于这里的’save_path’是一个可控的变量，但是后面还拼接上一个后缀名，也需要绕过</li>
</ol>
<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$img_path = $_GET[<span class="string">'save_path'</span>].<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$file_ext;</span><br></pre></td></tr></tbody></table></figure>

<ol start="2">
<li>这个时候可以使用%00截断，但这东西有点过气了，因为需要两个条件</li>
</ol>
<figure class="highlight plain"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">php版本小于5.3.4</span><br><span class="line">php的magic_quotes_gpc为OFF状态</span><br></pre></td></tr></tbody></table></figure>

<ol start="3">
<li><p>如果要完成这一个题目就必须要实现上面的两个条件，但是现在都PHP7了，这东西也就很少见了，满足上面的条件的时候php就是把它当成结束符，后面的数据直接忽略，这也导致了很多的问题，文件包含也可以利用这一点</p>
</li>
<li><p>所以如果要绕过，我们可以这样去实现，另<code>save_path</code>等于<code>../upload/11.php%00</code></p>
</li>
</ol>
<p><img src="https://upload-images.jianshu.io/upload_images/11168449-62f2488c35cc0185.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="11.1.png"></p>
<h3 id="Pass-12"><a href="#Pass-12" class="headerlink" title="Pass-12"></a>Pass-12</h3><ol>
<li>这里的源代码就改了一点点，就是把get改为post类型，一样的方式绕过，只不过这里需要在二进制里面修改%00，因为post不会像get对%00进行自动解码。</li>
</ol>
<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$img_path = $_POST[<span class="string">'save_path'</span>].<span class="string">"/"</span>.rand(<span class="number">10</span>, <span class="number">99</span>).date(<span class="string">"YmdHis"</span>).<span class="string">"."</span>.$file_ext;</span><br></pre></td></tr></tbody></table></figure>

<p><img src="https://upload-images.jianshu.io/upload_images/11168449-be18b81b5c3105fb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="12.1.png"></p>
<h3 id="Pass-13"><a href="#Pass-13" class="headerlink" title="Pass-13"></a>Pass-13</h3><ol>
<li>这里可以发现源代码只是用了unpack这一个函数去实现对于php前两个字节的检测，也就是只是对文件头做检测。。。</li>
</ol>
<figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$bin = fread($file, <span class="number">2</span>); <span class="comment">//只读2字节</span></span><br><span class="line">    fclose($file);</span><br><span class="line">    $strInfo = @unpack(<span class="string">"C2chars"</span>, $bin);</span><br></pre></td></tr></tbody></table></figure>

<ol start="2">
<li>直接上传 在bp中构造 shell<br><img src="https://upload-images.jianshu.io/upload_images/11168449-3bbe1f2ff6985ae2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="13.1.png"></li>
<li>把该图片上传上去，尝试文件包含，成功回显<figure class="highlight html"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://192.168.3.8/bachang/shangchuan/include.php?file=./upload/9920190725190903.gif</span><br></pre></td></tr></tbody></table></figure>

</li>
</ol>
<h3 id="Pass-14"><a href="#Pass-14" class="headerlink" title="Pass-14"></a>Pass-14</h3><ol>
<li><p>用了<code>getimagesize</code>函数来对文件类型做判断<br><img src="https://upload-images.jianshu.io/upload_images/11168449-c943887600f3588f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="14.1.png"></p>
<h3 id="Pass-15"><a href="#Pass-15" class="headerlink" title="Pass-15"></a>Pass-15</h3></li>
<li><p>同理</p>
<h3 id="Pass-16"><a href="#Pass-16" class="headerlink" title="Pass-16"></a>Pass-16</h3></li>
<li><p>具体针对二次渲染的上传绕过可以看这篇文章<a href="https://xz.aliyun.com/t/2657#toc-12" target="_blank" rel="noopener">upload-labs之pass 16详细分析</a>，我试了下gif文件的绕过</p>
</li>
<li><p>先上传一个gif文件，修改没有二次渲染后没有变动的地方。插入shell<br><img src="https://upload-images.jianshu.io/upload_images/11168449-92bbc8f18bdc12b9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="16.1.png"></p>
</li>
<li><p>利用文件包含成功执行php语句<br><img src="https://upload-images.jianshu.io/upload_images/11168449-0b282a491e4ab0c9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="16.2.png"></p>
<h3 id="Pass-17和18"><a href="#Pass-17和18" class="headerlink" title="Pass-17和18"></a>Pass-17和18</h3></li>
<li><p>条件竞争上传</p>
<h3 id="Less-19"><a href="#Less-19" class="headerlink" title="Less-19"></a>Less-19</h3></li>
<li><p>这一关正常做法应该是CVE-2015-2348 <code>move_uploaded_file()</code>00截断，上传webshell，同时自定义保存名称，上传的文件名用0x00绕过。改成<code>xx.php【二进制00】jpg</code></p>
</li>
<li><p><code>move_uploaded_file()</code>函数中的<code>_img_path_</code>是由post参数<code>save_name</code>控制的，因此可以在<code>save_name</code>利用00截断绕过<br><img src="https://upload-images.jianshu.io/upload_images/11168449-d7d81a63f065b454.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="19.1.png"></p>
<h3 id="Pass-20"><a href="#Pass-20" class="headerlink" title="Pass-20"></a>Pass-20</h3><figure class="highlight php"><table><tbody><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line">$is_upload = <span class="keyword">false</span>;</span><br><span class="line">$msg = <span class="keyword">null</span>;</span><br><span class="line"><span class="keyword">if</span>(!<span class="keyword">empty</span>($_FILES[<span class="string">'upload_file'</span>])){</span><br><span class="line">    <span class="comment">//检查MIME</span></span><br><span class="line">    $allow_type = <span class="keyword">array</span>(<span class="string">'image/jpeg'</span>,<span class="string">'image/png'</span>,<span class="string">'image/gif'</span>);</span><br><span class="line">    <span class="keyword">if</span>(!in_array($_FILES[<span class="string">'upload_file'</span>][<span class="string">'type'</span>],$allow_type)){</span><br><span class="line">        $msg = <span class="string">"禁止上传该类型文件!"</span>;</span><br><span class="line">    }<span class="keyword">else</span>{</span><br><span class="line">        <span class="comment">//检查文件名</span></span><br><span class="line">        $file = <span class="keyword">empty</span>($_POST[<span class="string">'save_name'</span>]) ? $_FILES[<span class="string">'upload_file'</span>][<span class="string">'name'</span>] : $_POST[<span class="string">'save_name'</span>];</span><br><span class="line">        <span class="keyword">if</span> (!is_array($file)) {</span><br><span class="line">            $file = explode(<span class="string">'.'</span>, strtolower($file));</span><br><span class="line">        }</span><br><span class="line"></span><br><span class="line">        $ext = end($file);</span><br><span class="line">        $allow_suffix = <span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'png'</span>,<span class="string">'gif'</span>);</span><br><span class="line">        <span class="keyword">if</span> (!in_array($ext, $allow_suffix)) {</span><br><span class="line">            $msg = <span class="string">"禁止上传该后缀文件!"</span>;</span><br><span class="line">        }<span class="keyword">else</span>{</span><br><span class="line">            $file_name = reset($file) . <span class="string">'.'</span> . $file[count($file) - <span class="number">1</span>];</span><br><span class="line">            $temp_file = $_FILES[<span class="string">'upload_file'</span>][<span class="string">'tmp_name'</span>];</span><br><span class="line">            $img_path = UPLOAD_PATH . <span class="string">'/'</span> .$file_name;</span><br><span class="line">            <span class="keyword">if</span> (move_uploaded_file($temp_file, $img_path)) {</span><br><span class="line">                $msg = <span class="string">"文件上传成功！"</span>;</span><br><span class="line">                $is_upload = <span class="keyword">true</span>;</span><br><span class="line">            } <span class="keyword">else</span> {</span><br><span class="line">                $msg = <span class="string">"文件上传失败！"</span>;</span><br><span class="line">            }</span><br><span class="line">        }</span><br><span class="line">    }</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line">    $msg = <span class="string">"请选择要上传的文件！"</span>;</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>

</li>
</ol>
<p>首先end函数取所post参数数组中的最后一个值，<code>_$file_name = reset($file) . '.' . $file[count($file) - 1]_</code>我们可以post一个参数名为一个[0]一个[2]，然后$file[count($file) - 1]就为空，$file_name最终就为reset($file)即$file[0]，就可以绕过判断<br><img src="https://upload-images.jianshu.io/upload_images/11168449-ea938ef2c7924035.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="20.1.png"></p>
</body></html>
      
    </div>
    
    
    

    

    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/web/" rel="tag"># web</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2019/05/01/JavaScript/" rel="next" title="JavaScript">
                <i class="fa fa-chevron-left"></i> JavaScript
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2019/07/27/docker环境搭建/" rel="prev" title="docker环境搭建">
                docker环境搭建 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  
    <div class="comments" id="comments">
    </div>
  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope="" itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image" src="/images/touxiang.jpg" alt="GodPang">
            
              <p class="site-author-name" itemprop="name">GodPang</p>
              <p class="site-description motion-element" itemprop="description">一只一直在努力的胖子</p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives">
              
                  <span class="site-state-item-count">23</span>
                  <span class="site-state-item-name">日志</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                <a href="/categories/index.html">
                  <span class="site-state-item-count">7</span>
                  <span class="site-state-item-name">分类</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">11</span>
                  <span class="site-state-item-name">标签</span>
                </a>
              </div>
            

          </nav>

          
            <div class="feed-link motion-element">
              <a href="/atom.xml" rel="alternate">
                <i class="fa fa-rss"></i>
                RSS
              </a>
            </div>
          

          
            <div class="links-of-author motion-element">
                
                  <span class="links-of-author-item">
                    <a href="https://github.com/GodPang" target="_blank" title="GitHub">
                      
                        <i class="fa fa-fw fa-github"></i>GitHub</a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a href="https://www.jianshu.com/u/c8a45218e240" target="_blank" title="简书">
                      
                        <i class="fa fa-fw fa-book"></i>简书</a>
                  </span>
                
            </div>
          

          
          

          
          
            <div class="links-of-blogroll motion-element links-of-blogroll-block">
              <div class="links-of-blogroll-title">
                <i class="fa  fa-fw fa-link"></i>
                Links
              </div>
              <ul class="links-of-blogroll-list">
                
                  <li class="links-of-blogroll-item">
                    <a href="https://lengjibo.github.io/" title="冷逸" target="_blank">冷逸</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://test482.github.io" title="Eliot's Blog" target="_blank">Eliot's Blog</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://prontosil.club/" title="百浪多息" target="_blank">百浪多息</a>
                  </li>
                
              </ul>
            </div>
          

          <div id="music163player">
    <iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width="330" height="86" src="//music.163.com/outchain/player?type=2&id=38592976&auto=1&height=66"></iframe>
</div>

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#序"><span class="nav-number">1.</span> <span class="nav-text">序</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#靶场环境"><span class="nav-number">2.</span> <span class="nav-text">靶场环境</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#闯关笔记"><span class="nav-number">3.</span> <span class="nav-text">闯关笔记</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-01"><span class="nav-number">3.1.</span> <span class="nav-text">Pass-01</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-02"><span class="nav-number">3.2.</span> <span class="nav-text">Pass-02</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-03"><span class="nav-number">3.3.</span> <span class="nav-text">Pass-03</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-04"><span class="nav-number">3.4.</span> <span class="nav-text">Pass-04</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-05"><span class="nav-number">3.5.</span> <span class="nav-text">Pass-05</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-06"><span class="nav-number">3.6.</span> <span class="nav-text">Pass-06</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-07"><span class="nav-number">3.7.</span> <span class="nav-text">Pass-07</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-08"><span class="nav-number">3.8.</span> <span class="nav-text">Pass-08</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-09"><span class="nav-number">3.9.</span> <span class="nav-text">Pass-09</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-10"><span class="nav-number">3.10.</span> <span class="nav-text">Pass-10</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-11"><span class="nav-number">3.11.</span> <span class="nav-text">Pass-11</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-12"><span class="nav-number">3.12.</span> <span class="nav-text">Pass-12</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-13"><span class="nav-number">3.13.</span> <span class="nav-text">Pass-13</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-14"><span class="nav-number">3.14.</span> <span class="nav-text">Pass-14</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-15"><span class="nav-number">3.15.</span> <span class="nav-text">Pass-15</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-16"><span class="nav-number">3.16.</span> <span class="nav-text">Pass-16</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-17和18"><span class="nav-number">3.17.</span> <span class="nav-text">Pass-17和18</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Less-19"><span class="nav-number">3.18.</span> <span class="nav-text">Less-19</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Pass-20"><span class="nav-number">3.19.</span> <span class="nav-text">Pass-20</span></a></li></ol></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>
    


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; 2018 &mdash; <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">GodPang</span>

  
</div>


  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">主题 &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Pisces</a> v5.1.4</div>



  <div class="footer-custom">Hosted by <a target="_blank" rel="external nofollow" href="https://pages.github.com/">GitHub Pages</a></div>


        
<div class="busuanzi-count">
  <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>

  
    <span class="site-uv">
      <i class="fa fa-user"></i>
      <span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
      
    </span>
  

  
    <span class="site-pv">
      <i class="fa fa-eye"></i>
      <span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
      
    </span>
  
</div>








        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
          <span id="scrollpercent"><span>0</span>%</span>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  


  











  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  

  
  
    <script type="text/javascript" src="/lib/canvas-nest/canvas-nest.min.js"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  


  <script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>



  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  










  <script src="//cdn1.lncld.net/static/js/3.0.4/av-min.js"></script>
  <script src="//unpkg.com/valine/dist/Valine.min.js"></script>
  
  <script type="text/javascript">
    var GUEST = ['nick','mail','link'];
    var guest = 'nick,mail,link';
    guest = guest.split(',').filter(item=>{
      return GUEST.indexOf(item)>-1;
    });
    new Valine({
        el: '#comments' ,
        verify: false,
        notify: false,
        appId: 'RAQiIXnddbLLbBRiBcDuJo3j-gzGzoHsz',
        appKey: 'rhBtL6nW6zYrDqLcVsPX4M51',
        placeholder: '大佬勿喷，文明交流',
        avatar:'mm',
        guest_info:guest,
        pageSize:'10' || 10,
    });
  </script>



  





  

  

  

  
  

  

  

  

<!-- 页面点击小红心 -->
<script type="text/javascript" src="/js/src/clicklove.js"></script>

</body>
</html>
